1.Refer to the exhibit.


vEdge# show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst


While troubleshooting an IPsec connection between a Cisco WAN edge router and an
Amazon Web Services (AWS) endpoint, a network engineer observes that the
security association status is active, but no traffic flows between the devices. What is
the problem?

A. wrong ISAKMP policy

B. identity mismatch

C. wrong encryption

D. IKE version mismatch

Answer: B


Explanation:
An identity mismatch occurs when the local and remote identities configured on the
IPsec peers do not match. This can prevent the establishment of an IPsec tunnel or
cause traffic to be dropped by the IPsec policy. In this case, the network engineer
should verify that the local and remote identities configured on the Cisco WAN edge
router and the AWS endpoint match the values expected by each peer. The identities
can be an IP address, a fully qualified domain name (FQDN), or a distinguished name
(DN). The identities are exchanged during the IKE phase 1 negotiation and are used
to authenticate the peers. If the identities do not match, the peers will reject the IKE
proposal and the IPsec tunnel will not be established or will be torn down.

Reference: Configure IOS-XE Site-to-Site VPN Connection to Amazon Web
Services, Topic: Troubleshooting; Designing and Implementing Cloud Connectivity
(ENCC) v1.0, Module 3: Implementing Cloud Connectivity, Lesson 2: Implementing
Cisco SD-WAN Cloud OnRamp for IaaS, Topic: Troubleshooting Cisco SD-WAN
Cloud OnRamp for IaaS; Cisco IOS Security Configuration Guide, Release 15M&T,
Chapter: Configuring IPsec Network Security, Topic: Configuring IPsec Identity and
Peer Addressing


2.Refer to the exhibit.

vEdge1# show policy from-vsmart
apply-policy
 site-list site1
  control-policy prefer_local out
 !
policy
 lists
  site-list site1
   site-id 100
  tloc-list prefer_site1
   tloc 10.1.1.1 color mpls encap ipsec preference 100
 control-policy prefer_local
  sequence 10
   match route
    site-list site1
   !
   action accept
    set
     tloc-list prefer_site1

A network engineer discovers that the policy that is configured on an on-premises
Cisco WAN edge router affects only the route tables of the specific devices that are
listed in the site list.
What is the problem?
A. An inbound policy must be applied.
B. The action must be set to deny.
C. A localized data policy must be configured.
D. A centralized data policy must be configured.
Answer: D
Explanation:
A centralized data policy is a policy that is applied to all devices in the overlay
network, regardless of the site list. A localized data policy is a policy that is applied
only to the devices that are listed in the site list. In this case, the network engineer
wants to apply the policy to all devices in the overlay network, not just the specific
devices in the site list. Therefore, a centralized data policy must be configured on the
on-premises Cisco WAN edge router.
Reference: Designing and Implementing Cloud Connectivity (ENCC) v1.0, Module
3: Implementing Cloud Connectivity, Lesson 3: Implementing Cisco SD-WAN Cloud
OnRamp for Colocation, Topic: Centralized Data Policy [Cisco SD-WAN Cloud
OnRamp for Colocation Deployment Guide], Chapter: Configuring Centralized Data
Policy


3.A company with multiple branch offices wants a connectivity model to meet its 
network architecture requirements. The company focuses on ensuring low latency 
and efficient routing for its critical business applications. 
Which connectivity model meets these requirements? 
A. hub-and-spoke topology with SD-WAN technology, using dynamic routing and 
OSPF as the routing protocol 
B. fully meshed topology with SD-WAN technology, using dynamic routing and BGP 
as the routing protocol 
C. point-to-point topology using dedicated leased lines and static routing 
D. star topology with internet-based VPN connections and static routing 
Answer: B 
Explanation:
A fully meshed topology with SD-WAN technology, using dynamic routing and BGP
as the routing protocol, meets the requirements of the company because it provides
the following benefits:

It allows direct and secure connectivity between any two branch offices, without the
need for a central hub or intermediary devices [1][2]. This reduces the latency and
improves the performance of the critical business applications.

It leverages SD-WAN technology to optimize the traffic flow and application quality of
service (QoS) across the WAN [1][3]. SD-WAN can dynamically select the best path for
each application based on the network conditions and policies [1][3]. SD-WAN can also
provide redundancy, security, and visibility for the WAN [1][3].

It uses dynamic routing and BGP as the routing protocol to exchange routing
information and establish connectivity between the branch offices [1][4]. BGP is a
scalable and flexible protocol that can support multiple address families, such as IPv4
and IPv6, and multiple routing policies, such as local preference and route filtering [1][4].
BGP can also enable seamless integration with the cloud service providers (CSPs)
and internet service providers (ISPs) [1][4].

Reference: 1: Designing and Implementing Cloud Connectivity (ENCC, Track 1 of 5)
(Cisco U. login required) 2: Cisco SD-WAN Design Guide

4.DRAG DROP 

An engineer signs in to Cisco vManage and needs to configure a custom application 
with a Cisco SD-WAN centralized policy. 


Drag and drop the steps from the left onto the order on the right to complete the 
configuration. 


Click Custom Options, select Centralized 
Policy, and then select Lists. 


Enter a name for the application, enter the match 
criteria, and then click Add. 


Click Custom Applications, and then select New 
Custom Application. 


Click Configuration, select Policies, 
and then select Centralized Policy. 


Answer:

1. Click Configuration, select Policies, and then select Centralized Policy.
2. Click Custom Options, select Centralized Policy, and then select Lists.
3. Click Custom Applications, and then select New Custom Application.
4. Enter a name for the application, enter the match criteria, and then click Add.

Explanation:

To configure a custom application with Cisco SD-WAN centralized policy, you need to
follow these steps [2][5]:

Click Configuration, select Policies, and then select Centralized Policy.

Click Custom Options, select Centralized Policy, and then select Lists.

Click Custom Applications, and then select New Custom Application.

Enter a name for the application, enter the match criteria, and then click Add.

The process of configuring a custom application with a Cisco SD-WAN centralized
policy using Cisco vManage involves several steps [1].

Click Configuration, select Policies, and then select Centralized Policy: This is the first
step, where you navigate to the Policies section in the Configuration menu of Cisco
vManage [1].

Click Custom Options, select Centralized Policy, and then select Lists: In this step,
you select Custom Options, then select Centralized Policy, and finally select
Lists [1].

Click Custom Applications, and then select New Custom Application: After setting up
the Lists, you click Custom Applications and then select New Custom Application [1].

Enter a name for the application, enter the match criteria, and then click Add: Finally,
you enter a name for the application, specify the match criteria, and then click Add to
complete the configuration [1].

Reference: Cisco Catalyst SD-WAN Policies Configuration Guide, Cisco IOS XE


5.Which Microsoft Azure service enables a dedicated and secure connection between 

an on-premises infrastructure and Azure data centers through a colocation provider? 

A. Azure Private Link 

B. Azure ExpressRoute 

C. Azure Virtual Network 

D. Azure Site-to-Site VPN 

Answer: B 

Explanation:

Azure ExpressRoute is a service that enables a dedicated and secure connection
between an on-premises infrastructure and Azure data centers through a colocation
provider. A colocation provider is a third-party data center that offers network
connectivity services to multiple customers. Azure ExpressRoute allows customers to
bypass the public internet and connect directly to Azure services, such as virtual
machines, storage, databases, and more. This provides benefits such as lower
latency, higher bandwidth, more reliability, and enhanced security. Azure
ExpressRoute also supports hybrid scenarios, such as connecting to Office 365,
Dynamics 365, and other SaaS applications hosted on Azure. Azure ExpressRoute
requires a physical connection between the customer's network and the colocation
provider's network, as well as a logical connection between the customer's network
and the Azure virtual network. The logical connection is established using a Border
Gateway Protocol (BGP) session, which exchanges routing information between the
two networks. Azure ExpressRoute supports two models: standard and premium. The
standard model offers connectivity to all Azure regions within the same geopolitical
region, while the premium model offers connectivity to all Azure regions globally, as
well as additional features such as increased route limits, global reach, and Microsoft
peering.

Reference: Designing and Implementing Cloud Connectivity (ENCC) v1.0, Learning
Plan: Designing and Implementing Cloud Connectivity v1.0 (ENCC 300-440) Exam
Prep, ENCC | Designing and Implementing Cloud Connectivity | Netec


6.An engineer must enable the OMP advertisement of BGP routes for a specific VRF 
instance on a Cisco IOS XE SD-WAN device. 

What should be configured after the global address-family ipv4 is configured? 

A. Set the VRF-specific route advertisements. 

B. Enable bgp advertisement. 

C. Enter sdwan mode. 

D. Disable bgp advertisement. 


Answer: B

Explanation:

To enable the OMP advertisement of BGP routes for a specific VRF instance on a
Cisco IOS XE SD-WAN device, the engineer must first configure the global address-
family ipv4 and then enable bgp advertisement under the vrf definition. This will allow
the device to advertise the BGP routes learned from the cloud provider to the OMP
control plane, which will then distribute them to the other SD-WAN devices in the
overlay network.

Reference: 1: Designing and Implementing Cloud Connectivity (ENCC) v1.0,
Module 3: Implementing Cloud Connectivity, Lesson 3: Configuring IPsec VPN from
Cisco IOS XE to AWS, Topic: Configuring BGP on the Cisco IOS XE Device, Page 3-24.


7.Refer to the exhibit.

local7.debug: Mar 11 11:31:11 VEDGE-1 VDAEMON[1136]: %VDAEMON_DBG_EVENTS-1: Disabling tice ged 1.
local7.info: Mar 11 11:31:31 VEDGE-1 VDAEMON[1136]: %Viptela-VEDGE-1-vdaemon-6-INFO-1400002: Notification:
3/11/2023 11:31:11 control-connection-state-change severity-level:major host-name:"VEDGE-1" system-ip:10.10.10.1
personality:vEdge peer-type:vmanage peer-system-ip:10.30.30.1 peer-vmanage-system-ip:0.0.0.0 public-ip:20.20.20.20
public-port:12947 src-color:biz-internet remote-color:public-internet uptime:"0:01:36:34" new-state:down
local7.info: Mar 11 11:31:11 VEDGE-1 FTMD[1126]: %Viptela-VEDGE-1-ftmd-6-INFO-1400002: Notification:
3/11/2023 11:31:11 bfd-state-change severity-level:major host-name:"VEDGE-1" system-ip:10.10.10.1 src-ip:20.20.30.2
dst-ip:20.20.30.20 proto:ipsec src-port:12406 dst-port:12347 local-system-ip:10.10.10.1 local-color:"biz-internet"
remote-system-ip:10.10.10.4 remote-color:"public-internet" new-state:down deleted:false flap-reason:bfd-deleted

Topology exhibit (diagram not recoverable from the extraction): labels visible include 10.30.30.1,
10.10.20.5, 20.20.20.0/24, biz-internet and public-internet.



Refer to the exhibits. An engineer troubleshoots a Cisco SD-WAN connectivity issue
between an on-premises data center WAN Edge and a public cloud provider WAN
Edge. The engineer discovers that BFD is flapping on vEdge1.

What is the problem? 

A. The remote Edge device BFD is down. 

B. The remote Edge device failed to respond BFD keepalives. 

C. The remote Edge device has a duplicate IP address. 

D. The control plane deleted the BFD session. 

Answer: B 

Explanation: 

BFD (Bidirectional Forwarding Detection) is a protocol that detects failures in the
overlay tunnel between Cisco SD-WAN devices. BFD packets are sent and received
periodically by each device to check the liveliness and quality of the connection. If a
device does not receive a BFD packet from its peer within a specified timeout interval,
it considers the peer to be unreachable and reports a BFD down event. This event
triggers a control connection state change and a possible route change in the SD-
WAN fabric.

In this scenario, the engineer discovers that BFD is flapping on vEdge1, which means
that the BFD session between vEdge1 and the remote Edge device is going up and
down repeatedly. This indicates a connectivity issue between the two devices, such as
network congestion, packet loss, or misconfiguration. The most likely cause of the
problem is that the remote Edge device failed to respond to BFD keepalives within the
timeout interval, which resulted in a BFD timeout event on vEdge1. This event caused
vEdge1 to mark the remote Edge device as down and notify the control plane. The
control plane then tried to establish a new BFD session with the remote Edge device,
which may have succeeded or failed depending on the network condition. This cycle
of BFD session creation and deletion caused the BFD flapping on vEdge1.

The other options are less likely to be the cause of the problem. Option A is incorrect
because if the remote Edge device BFD was down, vEdge1 would not receive any
BFD packets from it and would not flap. Option C is incorrect because if the remote
Edge device had a duplicate IP address, vEdge1 would not be able to establish a
BFD session with it in the first place. Option D is incorrect because the control plane
does not delete the BFD session unless there is a configuration change or a port-hop
event on the device.

Reference: Bidirectional Forwarding Detection Flap-Reason Definitions on Cisco 
vEdge Routers, Cisco Catalyst SD-WAN BFD, Cisco SD WAN: BFD (Bidirectional 
Forwarding Detection) 
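When working a case like the one above, the useful first step is to pull the bfd-state-change notifications out of the syslog and count down events and flap reasons per tunnel. The following Python is an added example, not part of the question source: it parses the Viptela "Notification:" key:value format shown in the exhibit and flags sessions that went down repeatedly. The sample log lines are constructed and modelled on the exhibit; the later "up" line and the "timeout" flap reason are assumptions for illustration.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the vdaemon/ftmd notification format in the
# exhibit above (lines after the first two, and the "timeout" reason, are made up).
SAMPLE_LOG = """\
local7.info: Mar 11 11:31:11 VEDGE-1 VDAEMON[1136]: %Viptela-VEDGE-1-vdaemon-6-INFO-1400002: Notification: 3/11/2023 11:31:11 control-connection-state-change severity-level:major host-name:"VEDGE-1" system-ip:10.10.10.1 personality:vEdge peer-type:vmanage peer-system-ip:10.30.30.1 public-ip:20.20.20.20 public-port:12947 src-color:biz-internet remote-color:public-internet uptime:"0:01:36:34" new-state:down
local7.info: Mar 11 11:31:11 VEDGE-1 FTMD[1126]: %Viptela-VEDGE-1-ftmd-6-INFO-1400002: Notification: 3/11/2023 11:31:11 bfd-state-change severity-level:major host-name:"VEDGE-1" system-ip:10.10.10.1 src-ip:20.20.30.2 dst-ip:20.20.30.20 proto:ipsec src-port:12406 dst-port:12347 local-system-ip:10.10.10.1 local-color:"biz-internet" remote-system-ip:10.10.10.4 remote-color:"public-internet" new-state:down deleted:false flap-reason:bfd-deleted
local7.info: Mar 11 11:31:41 VEDGE-1 FTMD[1126]: %Viptela-VEDGE-1-ftmd-6-INFO-1400002: Notification: 3/11/2023 11:31:41 bfd-state-change severity-level:major host-name:"VEDGE-1" system-ip:10.10.10.1 src-ip:20.20.30.2 dst-ip:20.20.30.20 proto:ipsec src-port:12406 dst-port:12347 local-system-ip:10.10.10.1 local-color:"biz-internet" remote-system-ip:10.10.10.4 remote-color:"public-internet" new-state:up deleted:false flap-reason:n/a
local7.info: Mar 11 11:32:20 VEDGE-1 FTMD[1126]: %Viptela-VEDGE-1-ftmd-6-INFO-1400002: Notification: 3/11/2023 11:32:20 bfd-state-change severity-level:major host-name:"VEDGE-1" system-ip:10.10.10.1 src-ip:20.20.30.2 dst-ip:20.20.30.20 proto:ipsec src-port:12406 dst-port:12347 local-system-ip:10.10.10.1 local-color:"biz-internet" remote-system-ip:10.10.10.4 remote-color:"public-internet" new-state:down deleted:false flap-reason:timeout
"""

# One "key:value" token; values may be double-quoted (host-name, colors, uptime).
TOKEN_RE = re.compile(r'([\w-]+):("[^"]*"|\S+)')
# "Notification: <date> <time> <event-type> <key:value fields...>"
NOTIF_RE = re.compile(r'Notification:\s*(\S+)\s+(\S+)\s+([\w-]+)\s+(.*)$')


def parse_notification(line):
    """Return the fields of one Viptela notification line as a dict (with
    'event' and 'timestamp' added), or None for lines that are not notifications."""
    m = NOTIF_RE.search(line)
    if not m:
        return None
    date, time, event, rest = m.groups()
    fields = {k: v.strip('"') for k, v in TOKEN_RE.findall(rest)}
    fields['event'] = event
    fields['timestamp'] = f'{date} {time}'
    return fields


def session_key(fields):
    """Identify a BFD session by local color plus remote system-ip and color."""
    return (fields['local-color'], fields['remote-system-ip'], fields['remote-color'])


def summarize_bfd(log_text, flap_threshold=2):
    """Count bfd-state-change 'down' events per session and collect the flap-reason
    of each; a session with at least flap_threshold downs is flagged as flapping.
    Control-connection events are parsed but not counted here."""
    downs = Counter()
    reasons = {}
    for line in log_text.splitlines():
        f = parse_notification(line)
        if not f or f['event'] != 'bfd-state-change':
            continue
        key = session_key(f)
        if f.get('new-state') == 'down':
            downs[key] += 1
            reasons.setdefault(key, []).append(f.get('flap-reason', 'n/a'))
    return {key: {'downs': n, 'flap_reasons': reasons[key],
                  'flapping': n >= flap_threshold}
            for key, n in downs.items()}


if __name__ == '__main__':
    for key, info in summarize_bfd(SAMPLE_LOG).items():
        print(key, info)
```

The flap_reasons list is what distinguishes a control-plane teardown (bfd-deleted) from a peer that stopped answering (timeout), which is the distinction the answer options above turn on.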


8.An engineer is implementing a highly secure multitier application in AWS that
includes S3, RDS, and some additional private links.


What is critical to keep the traffic safe? 

A. VPC peering and bucket policies 

B. specific routing and bucket policies 

C. EC2 super policies and specific routing policies 
D. gateway load balancers and specific routing policies 

Answer: B 

Explanation: 

A highly secure multitier application in AWS that includes S3, RDS, and some
additional private links requires specific routing and bucket policies to keep the traffic
safe. The reasons are as follows: Specific routing policies are needed to ensure that
the traffic between the tiers is routed through the private links, which provide secure
and low-latency connectivity between AWS services and on-premises resources [1][2].
The private links can also prevent the exposure of the data and the application logic
to the public internet [1][2].

Bucket policies are needed to control the access to the S3 buckets that store the
application data [3][4]. Bucket policies can specify the conditions under which the
requests are allowed or denied, such as the source IP address, the encryption status,
the request time, etc. [3][4]. Bucket policies can also enforce encryption in transit and at
rest for the data in S3 [3][4].

Reference:
1: AWS PrivateLink
2: AWS PrivateLink FAQs
3: Using Bucket Policies and User Policies
4: Bucket Policy Examples


9.DRAG DROP

Drag and drop the commands from the left onto the purposes on the right to identify
issues on a Cisco IOS XE SD-WAN device.

Commands:
show sdwan policy app-route-policy-filter
show sdwan security-info
show sdwan system status
show policy-firewall config

Purposes:
Display the time and process information of the device, as well as CPU, memory, and
disk usage data.
Validate the configured zone-based firewall.
Display information about application-aware routing policy matched packet counts on
the Cisco IOS XE SD-WAN devices.
View the security information that is configured for IPsec tunnel connections.

Answer (commands in the order of the purposes on the right):
show sdwan system status
show policy-firewall config
show sdwan policy app-route-policy-filter
show sdwan security-info
Explanation:
Display the time and process information of the device, as well as CPU, memory, and
disk usage data. = show sdwan system status [1]

Validate the configured zone-based firewall. = show policy-firewall config [1]

Display information about application-aware routing policy matched packet counts on
the Cisco IOS XE SD-WAN devices. = show sdwan policy app-route-policy-filter [1]

View the security information that is configured for IPsec tunnel connections. = show
sdwan security-info

The commands used to identify issues on a Cisco IOS XE SD-WAN device are as
follows [1]:

show sdwan system status: This command is used to display the time and process
information of the device, as well as CPU, memory, and disk usage data [1].

show policy-firewall config: This command is used to validate the configured zone-
based firewall [1].

show sdwan policy app-route-policy-filter: This command is used to display
information about application-aware routing policy matched packet counts on the
Cisco IOS XE SD-WAN devices [1].

show sdwan security-info: This command is used to view the security information that
is configured for IPsec tunnel connections [1].

Reference:


Cisco IOS XE Catalyst SD-WAN Qualified Command Reference 

Cisco Catalyst SD-WAN Command Reference 

Cisco Catalyst SD-WAN Systems and Interfaces Configuration Guide, Cisco IOS XE 
SD-WAN Tunnel Interface Commands - Cisco 


10.Refer to the exhibits.

Topology exhibit (diagram not recoverable from the extraction): labels visible include
10.0.5.1/24 and 10.0.5.2/24, 10.0.1.1/24 and 10.0.1.2/24, and EBGP VPNv4 peering.

While troubleshooting, a network engineer discovers that the backup path fails
between ASBR3 and ASBR4 for traffic between BGP AS6000 and BGP AS6500
when the connection between ASBR1 and ASBR2 goes down.

The following configurations were performed on ASBR1:

ASBR1(config)# router bgp 6000
ASBR1(config-router)# address-family vpnv4
ASBR1(config-router-af)# neighbor 10.0.5.2 remote-as 6500
ASBR1(config-router-af)# neighbor 10.0.5.2 activate
ASBR1(config-router-af)# neighbor 10.0.5.2 fall-over bfd
ASBR1(config-router-af)# end

Which command is missing?

A. bgp additional-paths install

B. bgp additional-paths select

C. redistribute static

D. bgp advertise-best-external

Answer: D

Explanation:

The bgp advertise-best-external command is used to enable the advertisement of the
best external path to internal BGP peers. This command is useful when there are
multiple exit points from the local AS to other ASes, and the local AS wants to use the
closest exit point for each destination. By default, BGP only advertises the best path
to its peers, and the best path is usually the one with the lowest IGP metric to the next
hop. However, this may not be the optimal path for traffic leaving the local AS, as it
may result in suboptimal hot-potato routing or MED oscillations. The bgp advertise-
best-external command allows BGP to advertise the best external path, which is the
path with the lowest MED among the paths from different neighboring ASes, in
addition to the best path. This way, the internal BGP peers can choose the best exit
point based on the MED value, rather than the IGP metric. In this scenario, ASBR1 is
configured to receive additional paths from ASBR2, which is a route reflector. ASBR2
receives two paths for the same prefix from AS6500, one from ASBR3 and one from
ASBR4. ASBR2 selects the best path based on the IGP metric to the next hop, and
advertises it to ASBR1. However, this path may not be the best external path, as it
may have a higher MED value than the other path. If the connection between ASBR1
and ASBR2 goes down, ASBR1 will not have any backup path to reach AS6500, as it
does not know the other path from ASBR4. To prevent this situation, ASBR1 should
be configured with the bgp advertise-best-external command, so that it can receive
the best external path from ASBR2, along with the best path. This way, ASBR1 will
have a backup path to reach AS6500, in case the primary path fails.

Reference: IP Routing: BGP Configuration Guide - BGP Additional Paths ... - Cisco,
BGP Additional Paths